Apply Instantly.ai security best practices for API keys, scopes, and access control. Use when securing API keys, implementing least-privilege access, or auditing Instantly workspace permissions. Trigger with phrases like "instantly security", "instantly api key safety", "instantly least privilege", "secure instantly", "instantly access control".
70%: Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/saas-packs/instantly-pack/skills/instantly-security-basics/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with strong completeness and distinctiveness. It clearly identifies the platform (Instantly.ai), the domain (security/access control), and provides explicit trigger phrases. The main weakness is that the specific capabilities could be more concrete—listing actual actions like 'rotate API keys', 'configure scope restrictions', or 'audit user roles' would strengthen specificity.
Suggestions
List more concrete actions beyond 'apply best practices'—e.g., 'rotate API keys, configure scope restrictions, audit user roles, revoke unused permissions' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (Instantly.ai security) and some actions (API keys, scopes, access control, least-privilege access, auditing permissions), but the actions are somewhat general and not deeply concrete; e.g., it doesn't specify what 'apply best practices' entails in terms of specific steps like rotating keys, revoking scopes, or configuring workspace roles. | 2 / 3 |
| Completeness | The description clearly answers both 'what' (apply Instantly.ai security best practices for API keys, scopes, and access control) and 'when' (securing API keys, implementing least-privilege access, auditing workspace permissions), with explicit trigger phrases provided. | 3 / 3 |
| Trigger Term Quality | The description explicitly lists natural trigger phrases like 'instantly security', 'instantly api key safety', 'instantly least privilege', 'secure instantly', and 'instantly access control'. These cover a good range of terms a user would naturally say when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | The description is highly specific to Instantly.ai security practices, which is a clear niche. The trigger terms all include 'instantly' combined with security-specific terms, making it very unlikely to conflict with generic security skills or other platform-specific skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid security-focused skill with good coverage of API key management, webhook validation, and audit logging. Its main weaknesses are reliance on undefined helper functions/classes that reduce true actionability, moderate verbosity with explanations Claude doesn't need, and a monolithic structure that could benefit from splitting detailed examples into referenced files. The security checklist is a strong addition.
Suggestions
Define or import the `instantly()` helper function and `InstantlyClient` class used throughout, or replace with raw fetch/axios calls so examples are truly executable.
Split detailed code examples (webhook setup, audit logging, key rotation) into separate referenced files to improve progressive disclosure and reduce the main file's length.
Add explicit error recovery steps to the key rotation workflow (e.g., 'If test call fails, revert to old key and investigate before proceeding').
Remove explanatory comments Claude already knows (e.g., '// NEVER hardcode API keys', '// BAD:', '// GOOD:') to improve conciseness.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably well-structured but includes some unnecessary verbosity: comments like '// NEVER hardcode API keys' and '// BAD:' / '// GOOD:' patterns are things Claude already knows. The secret manager example with Google Cloud is a nice touch but adds bulk. Some inline comments could be trimmed. | 2 / 3 |
| Actionability | Code examples are mostly concrete and executable, but several rely on an undefined `instantly()` helper function that is never defined or imported, making them not truly copy-paste ready. The key rotation workflow mixes manual dashboard steps with code, and the `InstantlyClient` class is also undefined. The scope patterns and API endpoints are useful but unverified against actual Instantly API docs. | 2 / 3 |
| Workflow Clarity | Steps are clearly numbered and sequenced, and the key rotation process includes a verification step (test call). However, the rotation workflow lacks explicit error recovery: what if the test call fails? The security checklist at the end is good but there's no explicit validate-then-proceed feedback loop for the overall security hardening process. | 2 / 3 |
| Progressive Disclosure | The content is well-sectioned with clear headers, a checklist summary, and external resource links. However, the skill is quite long (~180 lines of content) and could benefit from splitting detailed code examples (webhook setup, audit logging, key rotation) into separate reference files. The 'Next Steps' reference to `instantly-prod-checklist` is good but the main body is monolithic. | 2 / 3 |
| Total | 8 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3e83543